UBUNTU-CVE-2026-26331

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-26331

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-26331.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-26331

Upstream

CVE-2026-26331

Published

2026-02-24T03:16:00Z

Modified

2026-02-27T09:59:13Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

yt-dlp is a command-line audio/video downloader. Starting in version 2023.06.21 and prior to version 2026.02.21, when yt-dlp's --netrc-cmd command-line option (or netrc_cmd Python API parameter) is used, an attacker could achieve arbitrary command injection on the user's system with a maliciously crafted URL. yt-dlp maintainers assume the impact of this vulnerability to be high for anyone who uses --netrc-cmd in their command/configuration or netrc_cmd in their Python scripts. Even though the maliciously crafted URL itself will look very suspicious to many users, it would be trivial for a maliciously crafted webpage with an inconspicuous URL to covertly exploit this vulnerability via HTTP redirect. Users without --netrc-cmd in their arguments or netrc_cmd in their scripts are unaffected. No evidence has been found of this exploit being used in the wild. yt-dlp version 2026.02.21 fixes this issue by validating all netrc "machine" values and raising an error upon unexpected input. As a workaround, users who are unable to upgrade should avoid using the --netrc-cmd command-line option (or netrc_cmd Python API parameter), or they should at least not pass a placeholder ({}) in their --netrc-cmd argument.

References

Affected packages

Ubuntu:22.04:LTS / yt-dlp

Package

Name: yt-dlp
Purl: pkg:deb/ubuntu/yt-dlp@2022.04.08-1?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2021.*

2021.12.01-1

2021.12.27-1

2022.*

2022.01.21-1

2022.02.04-1

2022.03.08.1-1

2022.04.08-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2022.04.08-1",
            "binary_name": "yt-dlp"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-26331.json"

Ubuntu:24.04:LTS / yt-dlp

Package

Name: yt-dlp
Purl: pkg:deb/ubuntu/yt-dlp@2024.04.09-1?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2023.*

2023.07.06-1

2023.10.13-1ubuntu1

2023.11.16-1

2023.12.30-1ubuntu1

2024.*

2024.03.10-1

2024.04.09-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2024.04.09-1",
            "binary_name": "yt-dlp"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-26331.json"

Ubuntu:25.10 / yt-dlp

Package

Name: yt-dlp
Purl: pkg:deb/ubuntu/yt-dlp@2025.09.23-1?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2025.*

2025.03.27-1

2025.04.30-1

2025.05.22-1

2025.06.09-1

2025.06.25-1

2025.06.30-1

2025.07.21-1

2025.08.11-1

2025.08.20-1

2025.08.22-1

2025.08.27-1

2025.09.05-1

2025.09.23-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2025.09.23-1",
            "binary_name": "yt-dlp"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-26331.json"